U.S. GENERAL SERVICES ADMINISTRATION
Office of Inspector General
241 18th Street S., CS4, Suite 607, Arlington, VA 22202-3402

Date: September 8, 2008

Reply to: Gwendolyn A. McGowan
Deputy Assistant Inspector General for Information Technology Audits (JA-T)

To: Gail T. Lovelace
Chief Human Capital Officer (C)

Subject: Improved Access Controls Could Help Protect Personnel Information within the Comprehensive Human Resources Integrated System (CHRIS)
Report Number A060246/O/T/F08013

This report presents the results of our audit of specific access controls implemented with the Comprehensive Human Resources Integrated System (CHRIS) and highlights our audit findings and recommendations to Office of the Chief Human Capital Officer (OCHCO) management for improving system access controls for CHRIS. We have coordinated closely throughout the audit with system officials on specific Information Technology (IT) security issues we identified. We presented detailed information in a briefing to the OCHCO on June 11, 2008, and a copy of those slides is included as Appendix A. Due to the sensitive information contained in the Appendix related to the results of our technical security control scans, only reports provided to the OCHCO and the Office of the Chief Information Officer (OCIO) contain Appendix A.

Background

The OCHCO deployed CHRIS, a customized version of Oracle's Federal Human Resources Management System (OFHR), in August 2000 to provide on-line capabilities through a client server environment and improve Human Resources (HR) processing. CHRIS is used to initiate, generate, and store personnel actions and provide HR data used to produce reports for GSA and its Federal customers to meet internal and external reporting requirements. Over the past seven years, CHRIS has undergone significant changes, including transitioning to providing users web-based access over GSA's network in December 2001, providing GSA Associates with web-based access to their own personnel information within the system in September 2004, and implementing award functionality in March 2006.

Objective, Scope, and Methodology

The objective of this review was to determine: (1) if management, operational, and technical controls have been implemented within CHRIS to appropriately limit access to sensitive personnel information; (2) if not, what vulnerabilities exist that may allow improper or fraudulent activity; and (3) what compensating controls should be implemented to ensure that CHRIS access controls support the mission and goals of Agency Services and Staff Offices (S/SO). We gathered information related to the implementation of access controls and analyzed key security documentation. We surveyed key Agency personnel and members of their staff, including the Chief Human Capital Officer (CHCO); OCHCO, Director, Office of Information Management; system security officials; and other OCHCO personnel responsible for developing, maintaining, and operating the system. We also interviewed representatives from other GSA S/SOs and Federal agencies that use the CHRIS system, including the National Archives and Records Administration (NARA) in College Park, Maryland and the National Credit Union Association (NCUA) in Alexandria, Virginia. Our review focused on users with Manager Self Service access for CHRIS and the sensitive HR information that can be obtained through CHRIS on-line. We used commercially available tools and agreed upon procedures to complete network security scanning, examine database configuration, and review web application security for CHRIS.

To assess managerial, operational, and technical controls for CHRIS, we relied on applicable statutes, regulations, policies, and operating procedures regarding the development, implementation, and testing of IT system access controls, such as: Office of Management and Budget (OMB) A-130, Appendix III, Security of Federal Automated Information Resources, November 28, 2000; the GSA IT Security Policy, CIO P 2100.1D, June 2007; the GSA Chief Information Officer's (CIO) IT procedural guides on certification and accreditation, security test and evaluation, configuration management plans, security incident handling, and managing enterprise risk; the Federal Information Security Management Act of 2002; OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 2006; and National Institute of Standards and Technology (NIST) special publications for securing Federal information systems. We conducted this performance audit work in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The scope of our audit did not address overall functionality provided with CHRIS, training of users, or physical access controls. The review also did not assess the accuracy and integrity of the data the system maintains.

Highlights of Audit Findings

CHRIS is GSA's agency-wide automated HR management system. In implementing CHRIS, the OCHCO provided important on-line capabilities and improved HR processes for GSA Associates and employees of other Federal agencies that have contracted with GSA to use CHRIS. Our review identified several areas where improved access controls for CHRIS could help to better protect personnel information. We found that careful consideration of the system's functionality and controls is needed to better restrict access to certain personnel data. Overall, improved access controls would help to enforce "Least Privilege" requirements for CHRIS. Independent reviews of CHRIS audit logs could also help to address "Separation of Duties" control risks, and careful consideration of controls for system reporting capabilities would greatly assist in efforts to protect CHRIS data. Our review also found that prompt security enhancements could improve CHRIS. The OCHCO should take steps to strengthen access controls for CHRIS to (1) better ensure that personnel information is protected from unauthorized disclosure, access, and modification and (2) preserve authorized access restrictions.

Improved Access Controls Would Help to Enforce Least Privilege Requirements for CHRIS. GSA's CHRIS system has been designated as a moderate risk system that requires "Least Privilege" access to data and processes. Specifically, Least Privilege is a policy that requires that a system's user be given no more access than necessary to perform his or her official duties. Implementing Least Privilege effectively requires the (1) identification of specific tasks a user needs to be able to perform, (2) determination of the minimum set of privileges required to perform those tasks, and (3) restriction of the user to no more than those privileges needed to perform those specified tasks. Procedures provided by the GSA-CIO for system access control require that Least Privilege be implemented for GSA's moderate risk systems. As such, only personnel with proper authorization and a "need-to-know" should be allowed access to data processed, handled, or stored within the CHRIS system. Further, CHRIS security documentation states that users are given the least amount of privileges or access needed to perform their duties. The Privacy Impact Assessment (PIA)¹ developed for CHRIS also provides information on access for the groups of users for the system and the amount of access each user group should have. The users in the "managers and supervisors" group are described in the PIA as having read-only access to their direct reports, with the ability to review limited personnel and benefit information as well as assignment position, education, training, and performance appraisal information for their employees. Our review found that managers and supervisors, through the "Manager Self Service" menu, can create, view, modify, and approve performance plans, appraisals, and awards for their direct employees. Managers and supervisors with "Manager Self Service" access can also issue awards and view award amounts and justifications for GSA employees from other S/SOs. Because the system does not restrict information that can be input into the award justification data field, supervisors are free to include project-specific or other information about individuals receiving awards. As such, award justifications within CHRIS can contain sensitive information about other GSA divisions and personnel activities.² However, award-related information could be used for unofficial purposes, and restricting access based on a "need-to-know" could help to better manage risk associated with unauthorized access under the Least Privilege policy.

CHRIS officials explained that the system was designed to delegate award authority and enable managers to recognize staff who may not be assigned to their office. Through discussions with seven managers from the Public Buildings Service (PBS), Federal Acquisition Service (FAS), and Staff Offices at GSA's Central Office, we found instances, however, where supervisors who issue awards were unaware that managers from other S/SOs had access to award information. Most managers we spoke with informed us that they would prefer that access to their employee award information be restricted to only those within their own organizations who have a need to access award information. We also found that Human Resources specialists from the National Archives and Records Administration (NARA) currently use a customized version of the CHRIS awards module to provide for restricted access to NARA award information. This capability provides NARA managers the ability to issue an award to an employee from another office without access to information on the award amounts and justifications input by another manager.

¹ A PIA addresses privacy issues associated with the collection and retention of sensitive information and examines the risks and effects of collecting, maintaining, and disseminating information in identifiable form.

² The two exceptions to this are Senior Executive Service employees and Office of Inspector General investigators.

In September 2005,³ we recommended that the CHCO conduct a post-implementation review for CHRIS: (1) validate estimated benefits and costs for CHRIS, (2) evaluate CHRIS to ensure positive return on investment, and (3) ensure that the system meets organizational and user needs. Subsequently, during this audit, we were informed that the OCHCO planned to do an operational analysis in lieu of a post-implementation review. The OCHCO has since put completion of the operational analysis on hold until a decision is made at GSA as to how to move forward, to either continue with CHRIS or move to a selected HR Shared Service Center (SSC). Given the access control weaknesses we have identified, we re-affirm the importance of completing a comprehensive assessment, including an evaluation of the controls implemented for and functionality provided with the system, to determine how well the system is meeting all user and management requirements and whether required controls, including provisions to enforce Least Privilege, are in place and operating as intended.

Ensuring Independent Reviews of CHRIS Audit Logs Could Help to Address Separation of Duties Control Risks. There is a potential conflict of interest when the same person who administers access control functions also administers audit functions for any system. Effective "Separation of Duties" is achieved by dividing responsibilities among two or more individuals or organizational roles to diminish the likelihood that errors and wrongful acts will go undetected, since the activities of one individual or group serve as a check on the activities of the other. Audit trails can also be used in concert with access controls to identify and provide information about users who are suspected of improper access to or modification of data (e.g., introducing errors into a database). When audit trails are activated for a system, comparisons can then be made between the actual changes made to records and what was expected. This practice can help management determine if errors were made by the user, by the system or application software, or by some other source. System resources should also be monitored to detect unauthorized activity and deviations from the access control policy, and verify the effectiveness of implemented security controls. NIST Special Publication 800-53 and the GSA IT Security Policy⁴ require that the Agency's information systems enforce Separation of Duties requirements, including those between access control functions and auditing procedures. Our review found that, due to limited personnel resources for CHRIS, the OCHCO had not implemented Separation of Duties for system auditing and monitoring. While we recognize the challenges that limited resources place on organizations, we re-affirm the importance of implementing key controls to ensure that personnel information is adequately protected and that potential unauthorized activity within the CHRIS system is identified and investigated.

³ Strategic Challenges for GSA's Comprehensive Human Resources Integrated System (CHRIS), Report Number A040142/O/T/F05025, September 30, 2005.

⁴ GSA Order, CIO P 2100.1D, GSA Information Technology (IT) Security Policy, July 21, 2007.

Careful Consideration of Controls for System Reporting Capabilities Is Needed to Protect Personnel Information. CHRIS relies on the Commercial-off-the-Shelf (COTS) product Business Objects, managed by PBS, for reporting. GSA, like other organizations, is becoming increasingly reliant on information system services that are implemented outside of the system's accreditation boundary, which are used by, but not a part of, the organizational information system. In general, the growing dependence on external service providers and new relationships being forged with those providers can present new and difficult challenges, especially in the area of information system security. However, the responsibility for adequately mitigating risk to agency-wide and customer HR operations and assets arising from the use of external information system services remains with the authorizing official for the system. Our review found that the OCHCO had not yet assessed controls for or risks associated with accessing CHRIS personnel information through the Business Objects reporting utility. NIST recommends that organizations that own and operate interconnected systems should establish a Memorandum of Understanding (MOU) that defines the responsibilities of both parties in establishing, operating, and securing an interconnection. An MOU between the OCHCO and the PBS OCIO for services supporting CHRIS access to the PBS Business Objects enterprise server software license and associated tools was established in March 2001. The MOU documents the number of users that will access the Business Objects software and that need computer-based training, as well as the cost to the OCHCO for those services for a two-year period. The details of the interconnection and the controls required for the protection of personnel information accessed through the Business Objects reporting utility, however, have not yet been established. For instance, key roles and responsibilities for securing the interconnection and CHRIS data for PBS and the OCHCO are not yet clear. The potential impact of this type of operating environment was highlighted on June 4, 2007 when an authorized CHRIS user from NARA inadvertently accessed and displayed employee records from all Agencies with information stored in the CHRIS database using the PBS Business Objects utility. Prompt action was taken by the OCHCO to identify the vulnerability and to make every attempt to avoid a reoccurrence. However, this security incident highlighted the need to have a complete MOU in place to adequately define roles and responsibilities for securing CHRIS data accessed through Business Objects and identify required controls to manage risks, including unauthorized or unintentional access to or disclosure of personnel information. To address this need, we believe it is important for the OCHCO to closely coordinate with PBS and establish an MOU that defines roles and responsibilities for securing CHRIS data for PBS and the OCHCO and that identifies security controls required to appropriately restrict personnel data provided with the Business Objects reporting utility.

Prompt Security Enhancements Could Improve CHRIS. We applied commercially available vulnerability assessment tools, manual techniques, and agreed upon procedures to test technical controls for CHRIS. Testing included reviewing web application security and examining database configuration. The tests identified opportunities to reduce risk to the CHRIS web application and database. We met with system security officials at the end of May 2007 and conveyed the detailed results of our system security scanning. We also re-scanned the database in July 2007 after a system upgrade and discussed updated results with system security officials. Vulnerabilities identified with our scanning of the CHRIS Oracle database involve recording the actions taken by users in the database, including the activity of privileged users. These vulnerabilities could make it more difficult to detect when an attack occurs and to be able to analyze the attack after the fact. Automated scanning of the CHRIS web application identified possible SQL injections and instances where exceptions were not being appropriately handled, both of which could enable an attacker to exploit the vulnerability and gain unauthorized access to the database and its contents. Manual web application testing identified additional opportunities to harden the system, such as eliminating cross site scripting and delaying logins, to reduce risk. Specific vulnerabilities identified during our review are included in the briefing slides provided as Appendix A. Due to the sensitive nature of the information, only reports given to the OCHCO and OCIO contain this appendix. Taking specific steps to secure the CHRIS database and web application would reduce the likelihood that the system could be compromised due to known vulnerabilities, which could put personnel information and the CHRIS system at undue risk.

Recommendations

To better restrict access to personnel information, we recommend that the Chief Human Capital Officer:

1. Complete a comprehensive assessment, including an evaluation of access controls implemented for and functionality provided with the system, to determine if CHRIS has been implemented in accordance with user and management requirements and whether Least Privilege controls are in place and operating as intended.
2. Ensure independent reviews of CHRIS auditing and monitoring logs are completed.
3. Coordinate with PBS to establish an MOU that defines roles and responsibilities for securing CHRIS data for PBS and the OCHCO and identifies security controls required to protect personnel data viewed with the Business Objects reporting utility.
4. Address CHRIS technical vulnerabilities and ensure all known vulnerabilities are promptly recorded and mitigated.

Management Comments

The CHCO concurred with all audit findings and recommendations. A copy of the CHCO's comments is provided in its entirety as Appendix B.

Internal Controls

The objective of this review was to determine: (1) if management, operational, and technical controls have been implemented within CHRIS to appropriately limit access to sensitive personnel information; (2) if not, what vulnerabilities exist that may allow improper or fraudulent activity; and (3) what compensating controls should be implemented to ensure that the CHRIS access controls support the mission and goals of Agency Services and Staff Offices (S/SO). This report states the need to strengthen specific access controls for CHRIS in order to better protect personnel information. This review did not address overall system functionality or physical access controls. We also did not assess the integrity or accuracy of the information maintained in the system.

I wish to express my appreciation to you and your staffs for your cooperation during the audit. If you have any questions, please contact me or Gwen McGowan, Deputy Assistant Inspector General for IT Audits, on 703-308-1223.

Jennifer M. Klimes
Audit Manager, Information Technology Audit Office (JA-T)

IMPROVED ACCESS CONTROLS COULD HELP PROTECT PERSONNEL INFORMATION WITHIN THE COMPREHENSIVE HUMAN RESOURCES INTEGRATED SYSTEM (CHRIS)
REPORT NUMBER A060246/O/T/F08013

APPENDIX A – BRIEFING SLIDES TO THE CHCO

Due to the sensitive nature of the information contained in this appendix, only reports provided to the Office of the Chief Human Capital Officer (OCHCO) and the Office of the Chief Information Officer contain a copy of the briefing slides used to present detailed information to the OCHCO on June 11, 2008. Requests for copies of these slides should be referred to Gwendolyn McGowan, Deputy Assistant Inspector General for Information Technology Audits, or Jennifer Klimes, Audit Manager, on 703-308-1223.

APPENDIX B – GSA CHCO'S RESPONSE TO THE DRAFT REPORT

APPENDIX C – REPORT DISTRIBUTION

Copies

With Appendix A

Chief Human Capital Officer, Office of the Chief Human Capital Officer (C) ..... 3
Chief Information Officer, Office of the Chief Information Officer (I) ..... 2

Without Appendix A

Chief Information Officer, Public Buildings Service (PG) ..... 1
Assistant Inspector General for Auditing (JA and JAO) ..... 2
Administration and Data System Staff (JAS) ..... 1
Deputy Assistant Inspector General for Finance and Administrative Audits (JA-F) ..... 1
Assistant Inspector General for Investigations (JI) ..... 1
Internal Control and Audit Division (BEI) ..... 1
Audit Liaison, Office of the Chief Human Capital Officer (C) ..... 1
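The Least Privilege finding above (managers with "Manager Self Service" access issuing awards to employees of other offices while also seeing award amounts and justifications entered by other managers, and the NARA-style restriction that avoids it), modelled as an authorization check. This is an added example, not CHRIS or Oracle OFHR code; the user ids, organization codes, award records, and the rule that the recipient's own organization may see award details are constructed assumptions.

```python
"""Need-to-know model for award access in a Manager Self Service menu.

Constructed example; not CHRIS code. Each user belongs to one Service or
Staff Office (S/SO) and has a set of direct reports. Appraisal actions are
limited to direct reports; award authority is delegated to every manager,
but award amounts and justifications are visible only to the issuing
manager and to managers in the recipient's own organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    org: str                          # S/SO code, e.g. "PBS", "FAS" (constructed)
    direct_reports: frozenset = frozenset()


@dataclass(frozen=True)
class Award:
    award_id: str
    recipient: str
    recipient_org: str
    issued_by: str
    amount: int
    justification: str                # free text, may contain sensitive detail


# Step 1 and 2 of least privilege: enumerate the tasks a manager performs on
# direct reports and map them to the minimum privilege set (assumed names).
APPRAISAL_ACTIONS = frozenset(
    {"view_appraisal", "create_appraisal", "modify_appraisal", "approve_appraisal"}
)


def can_manage_appraisal(manager: User, employee: User, action: str) -> bool:
    """Appraisal tasks are allowed only on the manager's own direct reports."""
    return action in APPRAISAL_ACTIONS and employee.user_id in manager.direct_reports


def can_issue_award(manager: User, recipient: User) -> bool:
    """Delegated award authority: any manager may recognize any other employee."""
    return manager.user_id != recipient.user_id


def can_view_award_details(manager: User, award: Award) -> bool:
    """Need-to-know rule (assumed): the issuer and the recipient's S/SO only."""
    return award.issued_by == manager.user_id or award.recipient_org == manager.org


def award_view(manager: User, award: Award, enforce_need_to_know: bool = True) -> dict:
    """Step 3: return only the fields the manager is entitled to see.

    enforce_need_to_know=False reproduces the unrestricted behaviour the audit
    describes, where any manager sees amounts and justifications agency-wide.
    """
    record = {"award_id": award.award_id, "recipient": award.recipient}
    if not enforce_need_to_know or can_view_award_details(manager, award):
        record["amount"] = award.amount
        record["justification"] = award.justification
    return record


# Constructed sample data: two managers in different S/SOs, one award each.
ALICE = User("alice", "PBS", frozenset({"bob"}))
CAROL = User("carol", "FAS", frozenset({"dave"}))
BOB = User("bob", "PBS")
DAVE = User("dave", "FAS")
AWARD_BY_CAROL = Award("AW-1", "dave", "FAS", "carol", 500, "Led FAS project rollout")
AWARD_BY_ALICE = Award("AW-2", "dave", "FAS", "alice", 250, "Cross-office support")

if __name__ == "__main__":
    for m in (ALICE, CAROL):
        print(m.user_id, award_view(m, AWARD_BY_CAROL), award_view(m, AWARD_BY_ALICE))
```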